Bypass obfuscation for safe sources

This commit is contained in:
Mark Veidemanis 2022-08-30 10:30:17 +01:00
parent 38b712ac9a
commit ba3124bd69
Signed by: m
GPG Key ID: 5ACFCEED46C0904F
6 changed files with 70 additions and 46 deletions


@ -351,6 +351,7 @@ def query_results(
return {"message": message, "class": message_class} return {"message": message, "class": message_class}
else: else:
size = 20 size = 20
source = None
if "source" in query_params: if "source" in query_params:
source = query_params["source"] source = query_params["source"]
if source not in settings.OPENSEARCH_MAIN_SOURCES: if source not in settings.OPENSEARCH_MAIN_SOURCES:
@ -378,20 +379,26 @@ def query_results(
if date_query: if date_query:
if settings.DELAY_RESULTS: if settings.DELAY_RESULTS:
if source not in settings.SAFE_SOURCES:
if request.user.has_perm("core.bypass_delay"): if request.user.has_perm("core.bypass_delay"):
add_top.append(range_query) add_top.append(range_query)
else: else:
delay_as_ts = datetime.now() - timedelta(days=settings.DELAY_DURATION) delay_as_ts = datetime.now() - timedelta(
days=settings.DELAY_DURATION
)
lt_as_ts = datetime.strptime( lt_as_ts = datetime.strptime(
range_query["range"]["ts"]["lt"], "%Y-%m-%dT%H:%MZ" range_query["range"]["ts"]["lt"], "%Y-%m-%dT%H:%MZ"
) )
if lt_as_ts > delay_as_ts: if lt_as_ts > delay_as_ts:
range_query["range"]["ts"]["lt"] = f"now-{settings.DELAY_DURATION}d" range_query["range"]["ts"][
"lt"
] = f"now-{settings.DELAY_DURATION}d"
add_top.append(range_query) add_top.append(range_query)
else: else:
add_top.append(range_query) add_top.append(range_query)
else: else:
if settings.DELAY_RESULTS: if settings.DELAY_RESULTS:
if source not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_delay"): if not request.user.has_perm("core.bypass_delay"):
range_query = { range_query = {
"range": { "range": {
@ -571,6 +578,7 @@ def query_results(
dedup_fields = ["msg", "nick", "ident", "host", "net", "channel"] dedup_fields = ["msg", "nick", "ident", "host", "net", "channel"]
results_parsed = dedup_list(results_parsed, dedup_fields) results_parsed = dedup_list(results_parsed, dedup_fields)
if source not in settings.SAFE_SOURCES:
if settings.ENCRYPTION: if settings.ENCRYPTION:
encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY) encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY)
@ -596,9 +604,11 @@ def query_results(
if query: if query:
context["query"] = query context["query"] = query
if settings.DELAY_RESULTS: if settings.DELAY_RESULTS:
if source not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_delay"): if not request.user.has_perm("core.bypass_delay"):
context["delay"] = settings.DELAY_DURATION context["delay"] = settings.DELAY_DURATION
if settings.RANDOMISATION: if settings.RANDOMISATION:
if source not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_randomisation"): if not request.user.has_perm("core.bypass_randomisation"):
context["randomised"] = True context["randomised"] = True
return context return context
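Review bot: The `source not in settings.SAFE_SOURCES` guard is now repeated five times in query_results (both DELAY_RESULTS branches, the ENCRYPTION block, and the two context flags at the end), each one the same membership test on a request-supplied value; computing it once after `source` is resolved, e.g. `obfuscate = source not in settings.SAFE_SOURCES`, and branching on that name keeps the bypass rule in one place and makes a missed site impossible. `source` is initialised to None, so a request with no source parameter stays on the obfuscated path, which is the safe default. Whether a supplied value outside OPENSEARCH_MAIN_SOURCES is rejected before these checks depends on the body under the `if source not in settings.OPENSEARCH_MAIN_SOURCES:` line, which is outside this view; query_results starts and ends outside these hunks.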


@ -72,7 +72,7 @@
<div class="is-active" data-content="1"> <div class="is-active" data-content="1">
<h4 class="subtitle is-4">Scrollback of {{ channel }} on {{ net }}{{ num }}</h4> <h4 class="subtitle is-4">Scrollback of {{ channel }} on {{ net }}{{ num }}</h4>
{% include 'modals/context_table.html' %} {% include 'modals/context_table.html' %}
{% if user.is_superuser and src == 'irc' %} {% if user.is_superuser and source == 'irc' %}
<form method="PUT"> <form method="PUT">
<article class="field has-addons"> <article class="field has-addons">
<article class="control is-expanded has-icons-left"> <article class="control is-expanded has-icons-left">


@ -102,7 +102,7 @@
<i class="fa-solid fa-circle"></i> <i class="fa-solid fa-circle"></i>
</span> </span>
{% endif %} {% endif %}
{% if item.src == 'irc' %} {% if item.source == 'irc' %}
<a <a
hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}' hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}'
hx-post="{% url 'modal_drilldown' %}" hx-post="{% url 'modal_drilldown' %}"
@ -156,7 +156,7 @@
hx-post="{% url 'modal_context_table' %}" hx-post="{% url 'modal_context_table' %}"
hx-vals='{"net": "{{ net }}", hx-vals='{"net": "{{ net }}",
"num": "{{ num }}", "num": "{{ num }}",
"src": "{{ src }}", "source": "{{ source }}",
"channel": "{{ channel }}", "channel": "{{ channel }}",
"time": "{{ time }}", "time": "{{ time }}",
"date": "{{ date }}", "date": "{{ date }}",


@ -245,7 +245,7 @@
hx-post="{% url 'modal_context' %}" hx-post="{% url 'modal_context' %}"
hx-vals='{"net": "{{ row.cells.net|escapejs }}", hx-vals='{"net": "{{ row.cells.net|escapejs }}",
"num": "{{ row.cells.num|escapejs }}", "num": "{{ row.cells.num|escapejs }}",
"src": "{{ row.cells.src|escapejs }}", "source": "{{ row.cells.src|escapejs }}",
"channel": "{{ row.cells.channel|escapejs }}", "channel": "{{ row.cells.channel|escapejs }}",
"time": "{{ row.cells.time|escapejs }}", "time": "{{ row.cells.time|escapejs }}",
"date": "{{ row.cells.date|escapejs }}", "date": "{{ row.cells.date|escapejs }}",
@ -256,7 +256,7 @@
"dedup": "{{ params.dedup }}"}' "dedup": "{{ params.dedup }}"}'
hx-target="#modals-here" hx-target="#modals-here"
hx-trigger="click" hx-trigger="click"
href="/?modal=context&net={{row.cells.net|escapejs}}&num={{row.cells.num|escapejs}}&src={{row.cells.src|escapejs}}&channel={{row.cells.channel|urlsafe}}&time={{row.cells.time|escapejs}}&date={{row.cells.date|escapejs}}&index={{params.index}}&type={{row.cells.type}}&mtype={{row.cells.mtype}}&nick={{row.cells.mtype|escapejs}}"> href="/?modal=context&net={{row.cells.net|escapejs}}&num={{row.cells.num|escapejs}}&source={{row.cells.src|escapejs}}&channel={{row.cells.channel|urlsafe}}&time={{row.cells.time|escapejs}}&date={{row.cells.date|escapejs}}&index={{params.index}}&type={{row.cells.type}}&mtype={{row.cells.mtype}}&nick={{row.cells.mtype|escapejs}}">
{{ row.cells.msg }} {{ row.cells.msg }}
</a> </a>
</td> </td>


@ -216,10 +216,12 @@ def hash_lookup(user, data_dict, supplementary_data=None):
hash_list = SortedSet() hash_list = SortedSet()
denied = [] denied = []
for key, value in list(data_dict.items()): for key, value in list(data_dict.items()):
print("DATA DICT", data_dict)
if "source" in data_dict: if "source" in data_dict:
if data_dict["source"] in settings.SAFE_SOURCES: if data_dict["source"] in settings.SAFE_SOURCES:
continue continue
if "src" in data_dict:
if data_dict["src"] in settings.SAFE_SOURCES:
continue
if supplementary_data: if supplementary_data:
if "source" in supplementary_data: if "source" in supplementary_data:
if supplementary_data["source"] in settings.SAFE_SOURCES: if supplementary_data["source"] in settings.SAFE_SOURCES:
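Review bot: `print("DATA DICT", data_dict)` in hash_lookup writes the complete, un-hashed data_dict to stdout on every iteration of the key loop, so the values this function exists to obfuscate end up in process output once per key; it reads as leftover debugging and should be removed, or at most replaced by a `logger.debug` call that does not include the dict contents. The SAFE_SOURCES membership tests that follow it do not depend on `key` or `value`, so they yield the same answer on every iteration; hoisting them above the `for` as one guard around the loop, e.g. `if data_dict.get("source") in settings.SAFE_SOURCES or data_dict.get("src") in settings.SAFE_SOURCES:`, makes the bypass explicit and avoids the per-entry repetition. hash_lookup continues outside this hunk.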


@ -292,7 +292,16 @@ class DrilldownContextModal(APIView):
nicks_sensitive = None nicks_sensitive = None
query = False query = False
# Create the query params from the POST arguments # Create the query params from the POST arguments
mandatory = ["net", "channel", "num", "src", "index", "nick", "type", "mtype"] mandatory = [
"net",
"channel",
"num",
"source",
"index",
"nick",
"type",
"mtype",
]
invalid = [None, False, "", "None"] invalid = [None, False, "", "None"]
query_params = {k: v for k, v in request.data.items() if v} query_params = {k: v for k, v in request.data.items() if v}
@ -306,8 +315,11 @@ class DrilldownContextModal(APIView):
# Lookup the hash values but don't disclose them to the user # Lookup the hash values but don't disclose them to the user
if settings.HASHING: if settings.HASHING:
if query_params["source"] not in settings.SAFE_SOURCES:
SAFE_PARAMS = deepcopy(query_params) SAFE_PARAMS = deepcopy(query_params)
hash_lookup(request.user, SAFE_PARAMS) hash_lookup(request.user, SAFE_PARAMS)
else:
SAFE_PARAMS = deepcopy(query_params)
else: else:
SAFE_PARAMS = query_params SAFE_PARAMS = query_params
@ -346,7 +358,7 @@ class DrilldownContextModal(APIView):
SAFE_PARAMS["sorting"] = "desc" SAFE_PARAMS["sorting"] = "desc"
annotate = False annotate = False
if query_params["src"] == "irc": if query_params["source"] == "irc":
if query_params["type"] not in ["znc", "auth"]: if query_params["type"] not in ["znc", "auth"]:
annotate = True annotate = True
# Create the query with the context helper # Create the query with the context helper
@ -354,7 +366,7 @@ class DrilldownContextModal(APIView):
query_params["index"], query_params["index"],
SAFE_PARAMS["net"], SAFE_PARAMS["net"],
SAFE_PARAMS["channel"], SAFE_PARAMS["channel"],
query_params["src"], query_params["source"],
SAFE_PARAMS["num"], SAFE_PARAMS["num"],
size, size,
type=type, type=type,
@ -374,13 +386,13 @@ class DrilldownContextModal(APIView):
return render(request, self.template_name, results) return render(request, self.template_name, results)
if settings.HASHING: # we probably want to see the tokens if settings.HASHING: # we probably want to see the tokens
if query_params["src"] not in settings.SAFE_SOURCES: if query_params["source"] not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_hashing"): if not request.user.has_perm("core.bypass_hashing"):
for index, item in enumerate(results["object_list"]): for index, item in enumerate(results["object_list"]):
if "tokens" in item: if "tokens" in item:
results["object_list"][index]["msg"] = results["object_list"][ results["object_list"][index]["msg"] = results[
index "object_list"
].pop("tokens") ][index].pop("tokens")
# item["msg"] = item.pop("tokens") # item["msg"] = item.pop("tokens")
# Make the time nicer # Make the time nicer
@ -390,7 +402,7 @@ class DrilldownContextModal(APIView):
context = { context = {
"net": query_params["net"], "net": query_params["net"],
"channel": query_params["channel"], "channel": query_params["channel"],
"src": query_params["src"], "source": query_params["source"],
"ts": f"{query_params['date']} {query_params['time']}", "ts": f"{query_params['date']} {query_params['time']}",
"object_list": results["object_list"], "object_list": results["object_list"],
"time": query_params["time"], "time": query_params["time"],